The changing nature of authentication (PaperCut V13.4)

We’re always amazed at how multi-factor authentication has taken over all computing life. Two-factor authentication now protects your bank account and email, and even video games have it! Copiers with PaperCut installed have been using this technology for years with the combination of proximity card and PIN. It’s taken a while, but now we’re seeing more multi-factor authentication on the desktop login in corporate organizations.

There are plenty of advantages to card-based authentication on the desktop, such as reducing the reliance on complex passwords. However, there is no point in chasing this game if all your other systems around the network are still using your old complex passwords. This is where Single Sign-on (SSO) makes a resurgence.

PaperCut version 13.4 introduces Single Sign-on to the web interface login. This means that users can authenticate once on the desktop and then they are automatically granted access to your local PaperCut. No re-login required!

Believe it or not, PaperCut already had SSO back in 2005! We quickly saw that this caused issues in the education environment. Picture this: Student A and Student B were best friends. Student A walked away from their desktop, giving Student B the chance to open up a web browser and transfer Student A’s print credit across to himself! Student A and Student B are now no longer best friends… The automatic login advantages of SSO can be a double-edged sword.

SSO is great for the corporate environment, for administrator logins, or for integrating PaperCut into your intranet site. This time, we’ve added it back in with a raft of security options to control where and how it is used.

Of course, like all usual PaperCut releases, we’ve added in a whole lot more than this. Check out the full release history:

Comments

We’ve modified the Webauth instructions to get PaperCut to authenticate against a Shibboleth Identity Provider as well. Thanks for this function, it’s extremely useful!

Chris

That’s great! Are you able to email through some details to us in support? We’d love to share your findings in a Knowledge Base article. With the increasing use of SSO I’m sure we’ll find more sites using Shibboleth moving forward.

Jason, there’s always a chance, but we’ll need to see what sort of demand we have for a CAS implementation. Adding Windows support was the key missing piece for many customers. Our WebAuth implementation is quite general and it may be possible to use it in conjunction with other SSO systems as James has suggested for Shibboleth.

Brian Hayes

I’m interested, we use Active Directory Federated Services (ADFS) to talk to Shibboleth servers and other identity providers.

Ben Nakagawa

+1 to this.

Internally the Windows integrated authentication works very nicely. We want to use SSO for web-print clients who mostly access the service from an external network. Other services we provide use ADFS to authenticate, so if PaperCut also supported this it would be a perfect world, as we could provide a single method of authentication.

Ben Nakagawa

Oh, it would be even more perfect if it used IWA within the same network and ADFS from external (if it failed to auth with IWA) as a second option.

Christopher Hoskin

Googling suggests that it is possible to use mod_auth_cas in conjunction with a reverse proxy, so I would imagine it would be possible to use PaperCut 13.4 with CAS. However, I have no experience with CAS myself. This is also being discussed here: https://www.papercut.com/products/ng/manual/ch-sso.html